Security Experts:

Connect with us

Hi, what are you looking for?


Fraud & Identity Theft

Why Fighting Card-Not-Present Fraud Remains an Ongoing Challenge

The recent takedown of the xDedic marketplace—where threat actors had been buying and selling access to compromised remote desktop protocol (RDP) servers since at least 2016 and that, according to authorities, had facilitated over $68 million USD in fraud—is the latest reminder that fraudulent card-not-present (CN

The recent takedown of the xDedic marketplace—where threat actors had been buying and selling access to compromised remote desktop protocol (RDP) servers since at least 2016 and that, according to authorities, had facilitated over $68 million USD in fraud—is the latest reminder that fraudulent card-not-present (CNP) transactions remain a persistent and dynamic challenge for fraud teams. 

For many fraudsters, xDedic was among the various illicit online marketplaces that helped fill a void created in recent years by payment card issuers’ migration from magnetic stripe to EMV chip-enabled cards. EMV authentication has made card counterfeiting and fraudulent card-present transactions exceedingly difficult and consequently less common in regions with high adoption of EMV. But in response, many fraudsters have since altered their targeting to CNP transactions, often via schemes such as account-takeover fraud that utilize access to the types of compromised RDP servers that were available on xDedic. 

This shift, along with the growth of ecommerce, has contributed to a substantial increase in CNP fraud—otherwise known as fraudulent transactions that occur online, via telephone, or mail. This type of fraud is typically more challenging to detect than its card-present counterpart, largely because merchants cannot access the physical cards used in CNP transactions to verify their legitimacy. As a result, many of the common verification measures for card-present transactions, such as requiring the purchaser to provide a form of identification, aren’t feasible.

While there are various largely effective verification measures for CNP transactions, some can still be circumvented by fraudsters with the right capabilities and resources. These types of transactions often require the purchaser to input the billing address associated with the card, for example, but many fraudsters are able to obtain this information fairly easily via sources ranging from public listings and social media sites, to the illicit marketplaces where stolen card data is bought and sold. Fraudsters often acquire such data long before using it to carry out a fraudulent transaction, which is why there is relatively little that merchants can do to combat the theft of payment card data aside from effectively safeguarding that which belongs to their customers.

Indeed, the abundance of compromised card data and other assets available online continues to hinder the fight against CNP fraud. Despite many gains by law enforcement in recent years, card shops and other types of illicit marketplaces similar to the now-shuttered xDedic remain facets of the underground economy and key enablers for CNP fraud. 

Card shops in particular have become the primary means through which fraudsters and cybercriminals obtain stolen payment card data. In addition to dumps—which refer to card data stolen from magnetic-stripe cards that are typically used for card-present fraud—many of these shops also offer cards, which are packages of previously stolen card numbers and other information necessary for carrying out CNP fraud and related schemes. These shops are extremely appealing in the underground because they enable fraudsters to quickly and easily obtain the stolen data they need without having to steal it themselves, thereby lowering the barriers to entry for those with less-advanced capabilities or limited resources.

It’s important to recognize that given the pervasiveness of CNP fraud and the relative ease with which many fraudsters can obtain the resources needed to carry out their schemes, this threat isn’t going away anytime soon. And although the burden of loss it causes will likely continue to fall most heavily on merchants, combating this threat needs to be a widespread, collaborative effort among organizations and defenders from across the private and public sectors. In fact, the xDedic takedown is a shining example of how collaboration and information sharing, when conducted effectively and among trusted parties, can provide immense value in the name of security—and this cooperation is something that all of us should continually seek to emulate.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...


Pig Butchering, also known as Sha Zhu Pan and CryptoRom, is an ugly name for an ugly scam.


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.


Spanish and US authorities have dismantled a cybercrime ring that defrauded victims of more than $5.3 million.


Australian authorities sentence Sydney man for using leaked data stolen from wireless carrier Optus to conduct SMS scams.

Application Security

After skipping last month, Adobe returned to its scheduled Patch Tuesday cadence with the release of fixes for at least 38 vulnerabilities in multiple...